sshd setup

I’m sure this is a FAQ but searching on sshd came up empty. Odd…

Anyway. I’m trying to start up sshd from scratch and for some odd reason, all I can do is get sshd to listen to port 22 even though I changed /etc/ssh/sshd_config to port 5022 and changed the listen address to 192.168.1.52, the box’s fixed eth0 IP addy. If I do

ssh system@samewise.pinefields.com -p 22

sshd replies (only works over the local net - as expected). Of course I restarted and reloaded with both /etc/init.d/sshd and rcsshd - no change. The firewall is currently off altogether (the router itself is firewalled, of course). So…

A) Why can’t I get sshd to use port 5022?
B) When sshd does come up on port 22, why is it denying my password for username system, even though that username is OK from a simple terminal login?

RBEmerson wrote:

>
> I’m sure this is a FAQ but searching on sshd came up empty. Odd…
>
> Anyway. I’m trying to start up sshd from scratch and for some odd
> reason, all I can do is get sshd to listen to port 22 even though I
> changed /etc/ssh/sshd_config to port 5022 and changed the listen address
> to 192.168.1.52, the box’s fixed eth0 IP addy. If I do > ssh
> system@samewise.pinefields.com -p 22 sshd replies (only works over the
> local net - as expected). Of course I restarted and reloaded with both
> /etc/init.d/sshd and rcsshd - no
> change. The firewall is currently off altogether (the router itself is
> firewalled, of course). So…
>
> A) Why can’t I get sshd to use port 5022?
> B) When sshd does come up on port 22, why is it denying my password for
> username system, even though that username is OK from a simple terminal
> login?

Since you are behind the router firewall, have you configured that to
forward port 5022 to your machine (192.168.1.52)?

Will Honea

Not yet. I have another Linux box, also behind the router, running sshd for “production” and don’t want to break that.

Remember, if I use “ssh user@samwise.pinefields.com -p 22”, then I can at least get samwise’s sshd to acknowledge I’m knocking on port 22, even if I can’t come up with the right password. The other box, wxsat, uses another port (very much not port 22) and it works like a charm. That’s part of my problem, what works under openSUSE 10.3 (wxsat) should work with 11.3 (samwise) and it doesn’t. Which means some rules about config files or something has changed from 10.3 to 11.3. And that’s what’s driving me nuts.

Added: samwise.pinefields.com is defined in samwise’s /etc/hosts as “192.168.1.52 samwise.pinefields.com samwise”. In other words, samwise should know how to find samwise.pinefields.com and it seems that it does know the way to samwise’s port 22. Even though /etc/sshd/sshd_config has “port 5022”. [/headscratch]

Do ssh -v -p 5022 user@192.168.1.52 to make sure it’s not a name resolution issue.

Progress! I’m in on port 5022 as best I can tell (netstat doesn’t show anything about port 5022), and the password issue didn’t arise. That is, I signed in as I would for a normal terminal session. Other than adding the verbose switch, what has changed? Does the port argument ( -p ) belong before the user@addy section of the command? I wrote ssh system@samwise.pinefields.com -p 5022 in my initial trials.

DOH… just answered my own question… the difference is samwise.pinefields.com triggers a DNS lookup and I get back an IP that I don’t immediately recognize. It seems to be a Network Solutions DNS server or something close to it, but it’s nothing I expect to find. That’s odd, because I thought the /etc/hosts entry would take precedence. What am I not understanding in this mess with the address?

Try one more quirky thing for me, if you please:

ssh -4 system@samwise.pinefields.com -p 5022

If that works then it’s worth noting this is possibly related to IPv6 (or,
more-precisely, DNSv6).

I’ve seen something somewhat similar and peculiar to me as well, though
not really related to /etc/hosts at all. While at home, work, and all
over all is well (laptop has IPv6 explicitly disabled in YaST so that’s
great). With that said at my grandmother-in-law’s home one day I could
not get online. Pinging worked, network settings were correct, but
Firefox was upset with life. Chrome worked as I recall so that was neat
and led me to this solution:

http://support.mozilla.com/en-US/kb/Firefox+cannot+load+websites+but+other+programs+can

Search for IPv6 on that page. Doing that fixed me up nicely. It SEEMS
(I’m not an expert in this so please, somebody, tell me what really
happens) that some applications decide to find their own domain name
information directly from configured nameservers instead of relying on
what I assume are system-provided APIs to do the same, perhaps via the
nscd service that most of us run without knowing it. The only reason I
can come up with for them being written that way (at least a reason with
logic behind it) is cross-platform compatibility, meaning it may be easier
to implement a library that does this within a given application once
which works on multiple platforms rather than maintaining multiple bits of
code for various platforms, all which do the same thing. ‘ssh’ and
Firefox are both examples of cross-platform code.

Anyway, in my case SSH also failed and using the -4 switch also let it work.

Good luck.

On 09/21/2010 06:36 PM, RBEmerson wrote:
>
> Progress! I’m in on port 5022 as best I can tell (netstat doesn’t show
> anything about port 5022), and the password issue didn’t arise. That
> is, I signed in as I would for a normal terminal session. Other than
> adding the verbose switch, what has changed? Does the port argument (
> -p ) belong -before- the user@addy section of the command? I wrote ssh
> system@samwise.pinefields.com -p 5022 in my initial trials.
>
> DOH… just answered my own question… the difference is
> samwise.pinefields.com triggers a DNS lookup and I get back an IP that I
> don’t immediately recognize. It seems to be a Network Solutions DNS
> server or something close to it, but it’s nothing I expect to find.
> That’s odd, because I thought the /etc/hosts entry would take
> precedence. What am I not understanding in this mess with the address?

Sigh… what I’m not understanding is how to spell. There was a typo in /etc/hosts, defining samwise as samwise.pienfields.com instead of samwise.pinefields.com. [/facepalm]

So… at this point I can get into samwise locally, which is all I want for the moment. Coming from the outside, using PuTTY, is an exercise for another day.

NTL, I’d like some help with understanding why I can’t find a trace of sshd being tied to port 5022 and why sshd seems to be listening to port 22, as well. When I’m done with testing, I want port 22 deader than dead and sshd listening somewhere else. I thought that was sshd_config’s job - to use only the port listed in the config file. [/headscratch]
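An added audit script (my own, not something posted in this thread) for exactly the two things asked here: what sshd was told to listen on versus what is actually bound, and how a name resolves through NSS (the /etc/nsswitch.conf order that getaddrinfo() follows) versus what /etc/hosts literally says. The config parser also flags an ordering rule documented in sshd_config(5) that produces the "still on port 22, nothing on 5022" symptom. It assumes a Linux host with awk and ss/netstat; the config files it parses here are constructed samples, not the poster's real file.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits (1) what sshd is told to
# listen on versus what is really bound and (2) how a name resolves through
# NSS (/etc/nsswitch.conf order, the same path getaddrinfo() takes) versus
# what /etc/hosts literally contains. The parser is exercised on constructed
# sample files; point it at /etc/ssh/sshd_config on a real host.

# Print Port/ListenAddress directives (comments ignored, keywords
# case-insensitive) and flag the ordering rule from sshd_config(5): a
# ListenAddress without an explicit port only inherits Port directives that
# PRECEDE it, so "ListenAddress 192.168.1.52" above "Port 5022" binds that
# address on the default port 22 and 5022 never appears.
listen_spec() {
    awk '
    function has_port(a) { return a ~ /^\[.*\]:[0-9]+$/ || a ~ /^[^:]+:[0-9]+$/ }
    tolower($1) == "port" { nports++; print "Port " $2 }
    tolower($1) == "listenaddress" {
        print "ListenAddress " $2
        if (nports == 0 && !has_port($2))
            print "WARNING: " $2 " precedes every Port directive; it binds port 22"
    }' "$1"
}

# Running daemon's view: effective config (sshd -T needs root) and the
# sockets actually bound. Always returns 0 so it is safe on any box.
live_check() {
    command -v sshd >/dev/null 2>&1 && sshd -T 2>/dev/null | grep -iE '^(port|listenaddress) '
    ss -tlnp 2>/dev/null | grep -i sshd || netstat -tlnp 2>/dev/null | grep -i sshd
    return 0
}

# NSS answer for a name next to the raw /etc/hosts lines mentioning it;
# a typo in the hosts entry shows up as a mismatch between the two.
name_check() {
    getent hosts "$1" || echo "NSS: no answer for $1"
    grep -n "$1" /etc/hosts || echo "/etc/hosts: no line contains $1"
    return 0
}

# Constructed samples standing in for the poster's file.
BAD_CFG=$(mktemp); GOOD_CFG=$(mktemp)
trap 'rm -f "$BAD_CFG" "$GOOD_CFG"' EXIT
printf 'ListenAddress 192.168.1.52\nPort 5022\n' >"$BAD_CFG"   # wrong order
printf 'Port 5022\nListenAddress 192.168.1.52\n' >"$GOOD_CFG"  # right order

echo "== wrong order =="; listen_spec "$BAD_CFG"
echo "== right order =="; listen_spec "$GOOD_CFG"
echo "== live =="; live_check
echo "== name =="; name_check "${1:-samwise.pinefields.com}"
```

Run it as root on the box in question to get the sshd -T output; the parser and name check work unprivileged.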

OK, port 22 is now deader than dead. Dunno quite what I did to do that but it’s dead. But I still can’t remotely connect to samwise. I can remotely connect to wxsat as before. In desperation, I changed samwise’s sshd daemon to listen on port 5122 (wxsat uses this, too). In my router’s port forwarding, if I apply forward TCP/UDP to 5122 and use wxsat’s static IP, all things work on wxsat. If I remove that rule and put in exactly the same rule only with samwise’s IP, the connection attempt times out. Local connections to samwise through port 5122 - works like a charm. But not from the outside. ARGH!!! [/banghead]

FWIW, because I’m plagued with a dynamic IP for the router, I’m using dyn.com’s free dynamic routing service. AFAIK, it only cares about my router’s public IP and doesn’t seem to know about wxsat’s local IP (nor, AFAIK, should it).